While announcing details of free identity protection for clients, a US bank revealed that data belonging to up to 1.5 million customers may have been exposed and passed on to a criminal third party.

The revelation by SunTrust Bank was included in a press statement entitled ‘SunTrust to offer free identity protection.’ The bank made the admission in the second paragraph, writing, “The company became aware of potential theft by a former employee of information from some of its contact lists.”

“Although the investigation is ongoing, SunTrust is proactively notifying approximately 1.5 million clients that certain information, such as name, address, phone number and certain account balances may have been exposed,” the statement continued.

Data such as social security numbers, account numbers, PINs, User IDs, passwords, or driver’s license information has not been compromised by the potential breach, according to the bank.

The bank told the Wall Street Journal that the information allegedly stolen may have been provided to a “criminal third party,” and has been investigating it since February. It made the decision to reveal details of the leak publicly after learning there may have been attempts to print the information.

SunTrust chairman and CEO Bill Rogers apologised to clients in a statement, noting that security measures have since been increased. “While we have not identified significant fraudulent activity, we will reinforce our promise to clients that they will not be held responsible for any loss on their accounts as a result,” he said.

The new protection measure, Experian IDnotify, offers features such as identity theft insurance and ‘dark web monitoring.’

SunTrust has branches in 12 southern US states and total assets of $ 205 billion. It made headlines in 2015 when details emerged of a controversial severance package requiring 100 IT workers laid off in Atlanta to be on call either by phone or in person for two years without additional pay. SunTrust removed the clause following media coverage.